Talk:Extension Manager:Addon Update Security:Signature: Difference between revisions

Older revision: no edit summary. Newer revision edit summary: (more discussion)


2. The signed manifest is the update manifest. This is the update information that is automatically retrieved periodically to find updates for the add-on. It is necessary to sign the update manifest because it can be retrieved over insecure channels. The final downloaded updated add-on (the xpi file) is protected by virtue of the fact that it must either be available on an https URL, or there must be a hash provided for the xpi.
Dave, I agree that it is reasonable to require that "it must either be available on a https url, or there must be a hash provided for the xpi." but (unless I'm misunderstanding it) the example given on User:Mossop:Fx-Docs:AddonUpdateSignature has neither. It has http URLs, not https, and I see no hashes in it. Where's the protection? Where are the signed hashes in the example?
Please specify the expected/required syntax of a DSA signature.
/Nelson
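The rule Dave states above (an update's xpi must be served over https, or the manifest must carry a hash for it) is easy to audit mechanically, which is essentially the check Nelson is asking for against the example manifest. The Python below is an added example for this talk page, not code from the Extension Manager or from either poster. The entry layout (a dict with an `update_link` and an optional `update_hash` in `algorithm:hexdigest` form) and the set of accepted hash algorithms are assumptions of the example, not the real update manifest schema. The DSA signature syntax Nelson asks about is not specified on this page, so the example covers only the https-or-hash rule and verification of a downloaded xpi against the published hash.

```python
"""Audit add-on update manifest entries for the https-or-hash rule.

Added example for the discussion above. The entry structure is an
assumption (dicts with 'update_link' and optional 'update_hash'), not the
real update manifest format, and no signature check is performed because
the signature syntax is not given on the page.
"""

import hashlib
from urllib.parse import urlparse

# Assumed set of acceptable hash algorithms for this example. Weak digests
# (md5, sha1) are deliberately excluded so a published hash actually binds
# the downloaded xpi to the signed manifest entry.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}
HEX_CHARS = set("0123456789abcdefABCDEF")


def entry_is_protected(entry):
    """Return (ok, reason) for one manifest entry.

    An entry is protected when its download link is https, or when it is
    plain http but carries a well-formed hash of an accepted algorithm.
    An http link without a hash lets anyone on the path swap the xpi.
    """
    link = entry.get("update_link", "")
    scheme = urlparse(link).scheme.lower()
    if scheme == "https":
        return True, "https link"
    if scheme != "http":
        return False, f"unsupported scheme {scheme!r}"
    digest = entry.get("update_hash")
    if not digest:
        return False, "http link without update hash"
    algo, sep, hexdigest = digest.partition(":")
    algo = algo.lower()
    if not sep or algo not in ACCEPTED_ALGORITHMS:
        return False, f"hash algorithm {algo!r} not accepted"
    expected_len = hashlib.new(algo).digest_size * 2
    if len(hexdigest) != expected_len or not set(hexdigest) <= HEX_CHARS:
        return False, "malformed hex digest"
    return True, f"http link with {algo} hash"


def verify_download(xpi_bytes, update_hash):
    """Return True when the downloaded xpi matches the published 'algo:hex' hash."""
    algo, _, hexdigest = update_hash.partition(":")
    actual = hashlib.new(algo.lower(), xpi_bytes).hexdigest()
    return actual == hexdigest.lower()


def audit_manifest(entries):
    """Return [(update_link, reason)] for every entry that fails the rule."""
    failures = []
    for entry in entries:
        ok, reason = entry_is_protected(entry)
        if not ok:
            failures.append((entry.get("update_link"), reason))
    return failures


# Constructed sample data: a fake xpi payload and four manifest entries.
SAMPLE_XPI = b"PK\x03\x04 constructed fake xpi payload, not a real add-on"
SAMPLE_HASH = "sha256:" + hashlib.sha256(SAMPLE_XPI).hexdigest()

SAMPLE_ENTRIES = [
    {"update_link": "https://example.invalid/addon-1.1.xpi"},          # https: fine
    {"update_link": "http://example.invalid/addon-1.1.xpi",
     "update_hash": SAMPLE_HASH},                                       # http + sha256: fine
    {"update_link": "http://example.invalid/addon-1.1.xpi"},           # http, no hash: reject
    {"update_link": "http://example.invalid/addon-1.1.xpi",
     "update_hash": "md5:d41d8cd98f00b204e9800998ecf8427e"},           # weak hash: reject
]

if __name__ == "__main__":
    for link, reason in audit_manifest(SAMPLE_ENTRIES):
        print("REJECT", link, "-", reason)
    print("download matches published hash:", verify_download(SAMPLE_XPI, SAMPLE_HASH))
```

Run as a script it rejects the two unprotected entries and confirms the constructed xpi against its hash; `audit_manifest` is the piece you would point at a real manifest once its entries are mapped into the assumed dict form.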
